A suspected threat actor with ties to China exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day attack against a European government entity and an African managed service provider (MSP).
Telemetry evidence gathered by Google-owned Mandiant indicates that the vulnerability was exploited as early as October 2022, nearly two months before patches were released.
In a technical report, Mandiant researchers stated, “This incident continues China’s pattern of exploiting internet-facing devices, specifically those used for managed security purposes (such as firewalls, IPS/IDS appliances, etc.)”.
The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant of which was designed to operate on Fortinet’s FortiGate firewalls.
The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could lead to unauthenticated remote code execution via specially crafted requests.
Unknown hacking groups have exploited the vulnerability to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server, Fortinet disclosed earlier this month.
The most recent findings from Mandiant indicate that the threat actor exploited the zero-day vulnerability to gain access to targeted networks for espionage operations.
“With BOLDMOVE, attackers developed not only an exploit but also malware that demonstrates an in-depth understanding of systems, services, logging, and undocumented proprietary formats,” the threat intelligence firm said.
The malware, written in C, is said to have both Windows and Linux variants, with the Linux version capable of reading data from a Fortinet-specific file format. Metadata analysis of the Windows variants of the backdoor indicates that they were compiled as early as 2021, even though no samples have been found in the wild.
BOLDMOVE is designed to perform a system scan and is capable of receiving commands from a command-and-control (C2) server, allowing attackers to perform file operations, spawn a remote shell, and relay traffic via the infected host.
Corroborating Fortinet’s report, an extended Linux sample of the malware includes additional features that disable and manipulate logging to avoid detection.
The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices, according to Mandiant.